default rbac for oap (#111)

chart/skywalking/templates/_helpers.tpl

@@ -75,7 +75,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Create the name of the service account to use for the oap cluster
 */}}
 {{- define "skywalking.serviceAccountName.oap" -}}
-{{ default (include "skywalking.oap.fullname" .) .Values.serviceAccounts.oap }}
+{{- if .Values.serviceAccounts.oap.create -}}
+    {{ default (include "skywalking.oap.fullname" .) .Values.serviceAccounts.oap.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccounts.oap.name }}
+{{- end -}}
 {{- end -}}
 
 {{/*

chart/skywalking/templates/oap-clusterrole.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- if .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -30,4 +30,4 @@ rules:
 - apiGroups: ["extensions"]
   resources: ["deployments", "replicasets"]
   verbs: ["get", "watch", "list"]
-{{- end }}
+{{- end }}

chart/skywalking/templates/oap-clusterrolebinding.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- if .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

chart/skywalking/templates/oap-role.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- if not .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

chart/skywalking/templates/oap-rolebinding.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- if not .Values.oap.envoy.als.enabled }}
+{{- if .Values.serviceAccounts.oap.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

chart/skywalking/templates/oap-serviceaccount.yaml

@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+{{- if .Values.serviceAccounts.oap.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -23,3 +24,4 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
   name: {{ template "skywalking.serviceAccountName.oap" . }}
+{{- end }}

chart/skywalking/values.yaml

@@ -19,6 +19,9 @@
 
 serviceAccounts:
   oap:
+    # By default, create SkyWalking's ServiceAccount. If set to false, you also need to change `serviceAccounts.oap.name` value to a custom ServiceAccount name.
+    create: true
+    name: ""
 
 imagePullSecrets: []
 
@@ -76,10 +79,6 @@ oap:
     # runAsUser: 1000
     # runAsGroup: 1000
     # fsGroup: 1000
-  envoy:
-    als:
-      enabled: false
-      # more envoy ALS ,please refer to https://github.com/apache/skywalking/blob/master/docs/en/setup/envoy/als_setting.md#observe-service-mesh-through-als
   env:
     # more env, please refer to https://hub.docker.com/r/apache/skywalking-oap-server
     # or https://github.com/apache/skywalking-docker/blob/master/6/6.4/oap/README.md#sw_telemetry

test/e2e/e2e.yaml

@@ -50,7 +50,6 @@ setup:
                        --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \
                        --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \
                        --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \
-                       --set oap.envoy.als.enabled=true \
                        --set oap.replicas=1 \
                        --set ui.image.repository=$UI_REPO \
                        --set ui.image.tag=$UI_TAG \